
IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt

[IESG Evaluation DISCUSS] from Tim Polk

> [Note that I am not requesting any changes at this time!  I am 
> interested in discussing this issue (with authors, chairs, and other
> ADs) to determine if it merits action...]
>
> The Management-Privilege-Level Attribute supports differentiated privilege
> levels denoted by integer values.  The specification notes that "specific
> access rights conferred by each value are implementation dependent".
>
> Almost inevitably, implementations begin by assigning values in ascending
> or descending order but find a need to assert a new privilege level in
> the middle at a later date.  That works fine with this specification, but
> product vendors sometimes make an assumption that this will be ordered.
>
> I wonder if a brief addition to the security considerations noting that
> vendors should not assume ordering for these values would be worthwhile?

We have proposed adding the following text to Section 5.4 of the draft, to
address a similar DISCUSS from Pasi Eronen:

     The mapping of integer values for this attribute to specific
     collections of management access rights or permissions on the NAS
     is vendor and implementation specific.  Such mapping is often a
     user configurable feature.  It's RECOMMENDED that greater numeric
     values imply greater privilege.  However, it would be a mistake
     to assume that this recommendation always holds.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
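The point under discussion, a NAS that must not treat Management-Privilege-Level as ordered, as an added example that is not part of the draft or of this thread. It assumes attribute type code 136 for Management-Privilege-Level (as registered for RFC 5607; treat that as an assumption here) and a constructed vendor mapping in which a read-only level 7 was added later between levels 5 and 10.

```python
import struct

# Assumption: RADIUS attribute type code for Management-Privilege-Level (RFC 5607).
MGMT_PRIV_LEVEL_TYPE = 136

# Constructed vendor mapping. Level 7 (read-only audit) was added later and sits
# numerically between operator (5) and admin (10): higher is not always "more".
PRIVILEGE_TABLE = {
    1: frozenset({"show"}),
    5: frozenset({"show", "interface-config"}),
    7: frozenset({"show", "audit-log-read"}),
    10: frozenset({"show", "interface-config", "audit-log-read", "system-config"}),
}

def parse_privilege_level(attrs):
    """Walk the attribute TLVs (type, length, value) of a RADIUS packet and return
    the Management-Privilege-Level integer, or None if absent or malformed."""
    i, found = 0, None
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None  # bad length: reject the attribute list as a whole
        value = attrs[i + 2:i + alen]
        if atype == MGMT_PRIV_LEVEL_TYPE:
            if len(value) != 4 or found is not None:
                return None  # integer attrs are exactly 4 octets; duplicates are ambiguous
            found = struct.unpack("!I", value)[0]
        i += alen
    return found

def rights_by_table(level):
    """Explicit mapping, default deny: an unknown or missing level grants nothing."""
    return PRIVILEGE_TABLE.get(level, frozenset())

def rights_by_threshold(level):
    """The ordered assumption the review warns against ("level >= 5 unlocks config").
    Kept only to show the mis-grant for level 7; not for use in a NAS."""
    for floor in (10, 5, 1):
        if level is not None and level >= floor:
            return PRIVILEGE_TABLE[floor]
    return frozenset()

def authorize(attrs, command):
    """Decision the NAS should make: table lookup, never numeric comparison."""
    return command in rights_by_table(parse_privilege_level(attrs))

def encode_privilege_level(level):
    """Constructed helper: the attribute as type(1) length(1)=6 value(4)."""
    return struct.pack("!BBI", MGMT_PRIV_LEVEL_TYPE, 6, level)
```

With the constructed table, a level-7 session gets audit access only under the table lookup, while the threshold version would also hand it interface configuration rights.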